Multi-factor authentication made easy

It’s multi-factor not multi-app

Many of you will I hope have implemented multi-factor authentication (MFA) when using remote access. If you haven’t then please see my article here and then get your IT team to set it up. The majority of MFA (or two-factor) implementations will use an app on a smartphone and will ask the user to press approve or to enter a code shown on the screen (but not an SMS). Due to the widespread use of Office 365, you may be using the Microsoft Authenticator app. But if you have tried to set up MFA for cloud based applications such as Xero, WordPress, RealMe and MailChimp you will see that they ask you to use Google Authenticator. So you could end up with two authenticator apps for different web sites or services.

One app to rule them all

But you can in fact use one app. Both the Microsoft and Google Authenticator apps are based on the OTP (one time passcode) standard. So if you see a cloud service asking for Google Authenticator, you can scan the QR code with Microsoft Authenticator and it will work. I have logins for Azure, 365, MailChimp, Xero, RealMe, Buffer and two different WordPress sites set up on my Microsoft Authenticator app.

Using Microsoft sites with Google Authenticator takes a bit more work. When asked what mobile device you would want to install the app on, choose Other. You will then see the QR code that you can scan with Google Authenticator.

The future

The use of multi-factor authentication is growing, especially as on-premise software such as MYOB becomes cloud-based. And many organisations, especially government departments, are making MFA compulsory for their online services. Using a mobile app as the second form of authentication (in addition to your password) means that you can log in even when you don’t have cellphone reception (the code the app shows you does not depend on a signal). And using one app rather than two makes it even easier.

If you’d like to understand why you should be using MFA to secure your data and operations, and the other cyber security risks you should consider and minimise, then please get in touch.